-
Notifications
You must be signed in to change notification settings - Fork 95
388 lines (359 loc) · 17.6 KB
/
pull_request_secure.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
# Jobs in this workflow deal with secrets.
# Since they may be executed from forks by untrusted users,
# we need to ensure that the user is a member of the organization
# or that there is explicit approval for their jobs to run.
name: Secured Workflow
on:
push:
branches: [ main ]
# There are two differences to "pull_request" here:
# - The workflow will receive secrets, even in PRs from forks.
# - The workflow will be executed automatically, without requiring a manual approval.
# Therefore the workflow needs to be explicitly secured; see "known_user" and "approval_required" jobs below.
pull_request_target:
branches: [ main ] # Benchmarks aren't branched, so they will only ever work against current main.
types:
- opened
- reopened
- synchronize
paths-ignore:
- 'LICENSE*'
- '.gitignore'
- '**.md'
- '**.adoc'
- '*.txt'
jobs:
# Check if the user is a member of the organization; if so, allow the PR to sail through.
known_user:
runs-on: ubuntu-latest
outputs:
is_member_of_org: ${{ steps.auth_check.outputs.authorized }}
steps:
- id: auth_check
env:
GH_TOKEN: ${{ secrets.JRELEASER_GITHUB_TOKEN }} # Release account is a Solver Gatekeeper.
shell: bash
run: |
# -g to allow actors such as dependabot[bot]
ORG_MEMBERSHIP=`curl -g -L -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $GH_TOKEN" "https://api.github.com/orgs/TimefoldAI/memberships/${{ github.actor }}" | jq -r '.state == "active"'`
echo "authorized=$ORG_MEMBERSHIP" >> "$GITHUB_OUTPUT"
- id: validation
shell: bash
run: |
echo "Authorized user: ${{ steps.auth_check.outputs.authorized }}"
# If the user is not a member, require a member to approve the PR.
approval_required:
needs: known_user
environment:
${{
github.event_name == 'pull_request_target' &&
github.event.pull_request.head.repo.full_name != github.repository &&
(needs.known_user.outputs.is_member_of_org != 'true' || github.actor == 'dependabot[bot]') &&
'external' || 'internal'
}}
runs-on: ubuntu-latest
steps:
- run: true
integration-tests:
needs: approval_required
name: Integration Tests
runs-on: ubuntu-latest
concurrency:
group: pr-${{ github.event_name }}-${{ github.head_ref }}
cancel-in-progress: true
steps:
# Clone timefold-solver
# No need to check for stale repo, as Github merges the main repo into the fork automatically.
- name: Checkout timefold-solver
uses: actions/checkout@v4
with:
path: ./timefold-solver
ref: ${{ github.event.pull_request.head.sha }} # The GHA event will pull the main branch by default, and we must specify the PR reference version
- name: Setup Temurin 17 and Maven
uses: actions/setup-java@v4
with:
java-version: '21'
distribution: 'temurin'
cache: 'maven'
- name: Quickly build timefold-solver
working-directory: ./timefold-solver
shell: bash
run: mvn -B -Dquickly clean install
# Clone timefold-solver-enterprise
- name: Checkout timefold-solver-enterprise (PR) # Checkout the PR branch first, if it exists
id: checkout-solver-enterprise
uses: actions/checkout@v4
continue-on-error: true
with:
repository: TimefoldAI/timefold-solver-enterprise
ref: ${{ github.head_ref }}
token: ${{ secrets.JRELEASER_GITHUB_TOKEN }} # Safe; only used to clone the repo and not stored in the fork.
path: ./timefold-solver-enterprise
fetch-depth: 0 # Otherwise merge will fail on account of not having history.
- name: Checkout timefold-solver-enterprise (main) # Checkout the main branch if the PR branch does not exist
if: steps.checkout-solver-enterprise.outcome != 'success'
uses: actions/checkout@v4
with:
repository: TimefoldAI/timefold-solver-enterprise
ref: main
token: ${{ secrets.JRELEASER_GITHUB_TOKEN }} # Safe; only used to clone the repo and not stored in the fork.
path: ./timefold-solver-enterprise
fetch-depth: 0 # Otherwise merge will fail on account of not having history.
- name: Quickly build timefold-solver-enterprise
working-directory: ./timefold-solver-enterprise
shell: bash
run: mvn -B -Dquickly clean install
# Clone timefold-solver-benchmarks
- name: Checkout timefold-solver-benchmarks (PR) # Checkout the PR branch first, if it exists
if: github.head_ref # Only true if this is a PR.
id: checkout-solver-benchmarks-pr
uses: actions/checkout@v4
continue-on-error: true
with:
repository: TimefoldAI/timefold-solver-benchmarks
ref: ${{ github.head_ref }}
path: ./timefold-solver-benchmarks
fetch-depth: 0 # Otherwise merge will fail on account of not having history.
- name: Checkout timefold-solver-benchmarks (main) # Checkout the main branch if the PR branch does not exist
if: ${{ steps.checkout-solver-benchmarks-pr.outcome != 'success' }}
uses: actions/checkout@v4
with:
repository: TimefoldAI/timefold-solver-benchmarks
ref: main
path: ./timefold-solver-benchmarks
fetch-depth: 0 # Otherwise merge will fail on account of not having history.
- name: Build and test timefold-solver-benchmarks
working-directory: ./timefold-solver-benchmarks
shell: bash
run: mvn -B -DskipJMH clean verify
enterprise-java:
needs: approval_required
name: Enterprise Edition (Java)
runs-on: ubuntu-latest
concurrency:
group: downstream-enterprise-${{ github.event_name }}-${{ github.head_ref }}
cancel-in-progress: true
timeout-minutes: 120
steps:
# Clone timefold-solver
# No need to check for stale repo, as Github merges the main repo into the fork automatically.
- name: Checkout timefold-solver
uses: actions/checkout@v4
with:
path: ./timefold-solver
ref: ${{ github.event.pull_request.head.sha }} # The GHA event will pull the main branch by default, and we must specify the PR reference version
# Clone timefold-solver-enterprise
# Need to check for stale repo, since Github is not aware of the build chain and therefore doesn't automate it.
- name: Checkout timefold-solver-enterprise (PR) # Checkout the PR branch first, if it exists
id: checkout-solver-enterprise
uses: actions/checkout@v4
continue-on-error: true
with:
repository: TimefoldAI/timefold-solver-enterprise
ref: ${{ github.head_ref }}
token: ${{ secrets.JRELEASER_GITHUB_TOKEN }} # Safe; only used to clone the repo and not stored in the fork.
path: ./timefold-solver-enterprise
fetch-depth: 0 # Otherwise merge will fail on account of not having history.
- name: Checkout timefold-solver-enterprise (main) # Checkout the main branch if the PR branch does not exist
if: steps.checkout-solver-enterprise.outcome != 'success'
uses: actions/checkout@v4
with:
repository: TimefoldAI/timefold-solver-enterprise
ref: main
token: ${{ secrets.JRELEASER_GITHUB_TOKEN }} # Safe; only used to clone the repo and not stored in the fork.
path: ./timefold-solver-enterprise
fetch-depth: 0 # Otherwise merge will fail on account of not having history.
# Build and test
- name: Setup Temurin 17 and Maven
uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'temurin'
cache: 'maven'
- name: Quickly build timefold-solver
working-directory: ./timefold-solver
shell: bash
run: mvn -B -Dquickly clean install
- name: Build and test timefold-solver-enterprise
working-directory: ./timefold-solver-enterprise
shell: bash
run: mvn -B clean verify
enterprise-python:
needs: approval_required
name: Enterprise Edition (Python)
concurrency:
group: downstream-enterprise-python-${{ github.event_name }}-${{ github.head_ref }}
cancel-in-progress: true
timeout-minutes: 120
runs-on: ubuntu-latest
steps:
- name: Check out repository code
uses: actions/checkout@v4
with:
path: './timefold-solver'
ref: ${{ github.event.pull_request.head.sha }} # The GHA event will pull the main branch by default, and we must specify the PR reference version
# Clone timefold-solver-enterprise
# Need to check for stale repo, since Github is not aware of the build chain and therefore doesn't automate it.
- name: Checkout timefold-solver-enterprise (PR) # Checkout the PR branch first, if it exists
id: checkout-solver-enterprise
uses: actions/checkout@v4
continue-on-error: true
with:
repository: TimefoldAI/timefold-solver-enterprise
ref: ${{ github.head_ref }}
token: ${{ secrets.JRELEASER_GITHUB_TOKEN }} # Safe; only used to clone the repo and not stored in the fork.
path: ./timefold-solver-enterprise
fetch-depth: 0 # Otherwise merge will fail on account of not having history.
- name: Checkout timefold-solver-enterprise (main) # Checkout the main branch if the PR branch does not exist
if: steps.checkout-solver-enterprise.outcome != 'success'
uses: actions/checkout@v4
with:
repository: TimefoldAI/timefold-solver-enterprise
ref: main
token: ${{ secrets.JRELEASER_GITHUB_TOKEN }} # Safe; only used to clone the repo and not stored in the fork.
path: ./timefold-solver-enterprise
fetch-depth: 0 # Otherwise merge will fail on account of not having history.
# Build and test
- name: Set up the JDK
uses: actions/setup-java@v4
with:
java-version: 17
distribution: 'temurin'
cache: 'maven'
# Need to install all Python versions in the same run for tox
- name: Python 3.10, Python 3.11, Python 3.12 Setup
uses: actions/setup-python@v5
with:
python-version: |
3.10
3.11
3.12
cache: 'pip'
cache-dependency-path: |
**/setup.py
- name: Install tox
run:
pip install tox build
- name: Build Timefold Solver for Python
working-directory: ./timefold-solver
run: python -m build
- name: Run tox on Timefold Solver Enterprise for Python test suite
working-directory: ./timefold-solver-enterprise
env:
PIP_FIND_LINKS: ${{ github.workspace }}/timefold-solver/dist
run: tox
build_documentation:
runs-on: ubuntu-latest
needs: approval_required
name: Build Documentation
environment:
name: "documentation (preview)"
url: ${{ steps.deploy.outputs.deployment-url }}
env:
BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
steps:
- name: Checkout frontend
id: checkout-frontend
uses: actions/checkout@v4
with:
repository: TimefoldAI/frontend
token: ${{ secrets.JRELEASER_GITHUB_TOKEN }} # Safe; only used to clone the repo and not stored in the fork.
fetch-depth: 0 # Otherwise merge will fail on account of not having history.
- name: Set up NodeJs
uses: actions/setup-node@v4
with:
node-version-file: .nvmrc
cache: npm
- name: Checkout timefold-solver
uses: actions/checkout@v4
with:
repository: "${{ github.event.pull_request.head.repo.owner.login || 'TimefoldAI' }}/timefold-solver"
ref: ${{ github.event.pull_request.head.sha || 'main' }} # The GHA event will pull the main branch by default, and we must specify the PR reference version
path: "./timefold-solver"
fetch-depth: 0
- name: Install yq
run: |
sudo wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq
sudo chmod +x /usr/bin/yq
- name: Updating Antora configuration
working-directory: "./timefold-solver"
run: |
echo "=== Updating antora.yml"
cp docs/src/antora-template.yml docs/src/antora.yml
sed -i "s/\${project\.version}b0/SNAPSHOT/g" docs/src/antora.yml
sed -i "s/\${project\.version}/SNAPSHOT/g" docs/src/antora.yml
sed -i "s/\${maven\.compiler\.release}/$(find build/build-parent/ -name pom.xml -exec grep '<maven.compiler.release>' {} \;|tail -n 1|cut -d\> -f1 --complement|cut -d\< -f1)/g" docs/src/antora.yml
sed -i "s/\${maven\.min\.version}/$(find build/build-parent/ -name pom.xml -exec grep '<maven.min.version>' {} \;|tail -n 1|cut -d\> -f1 --complement|cut -d\< -f1)/g" docs/src/antora.yml
sed -i "s/\${version\.io\.quarkus}/$(find build/build-parent/ -name pom.xml -exec grep '<version.io.quarkus>' {} \;|tail -n 1|cut -d\> -f1 --complement|cut -d\< -f1)/g" docs/src/antora.yml
sed -i "s/\${version\.org\.springframework\.boot}/$(find build/build-parent/ -name pom.xml -exec grep '<version.org.springframework.boot>' {} \;|tail -n 1|cut -d\> -f1 --complement|cut -d\< -f1)/g" docs/src/antora.yml
sed -i "s/\${version\.ch\.qos\.logback}/$(find build/build-parent/ -name pom.xml -exec grep '<version.ch.qos.logback>' {} \;|tail -n 1|cut -d\> -f1 --complement|cut -d\< -f1)/g" docs/src/antora.yml
sed -i "s/\${version\.exec\.plugin}/$(find build/build-parent/ -name pom.xml -exec grep '<version.exec.plugin>' {} \;|tail -n 1|cut -d\> -f1 --complement|cut -d\< -f1)/g" docs/src/antora.yml
sed -i "s/\${version\.rewrite\.plugin}/$(find . -name pom.xml -exec grep '<version.rewrite.plugin>' {} \;|tail -n 1|cut -d\> -f1 --complement|cut -d\< -f1)/g" docs/src/antora.yml
cat docs/src/antora.yml
- name: Build Documentation
working-directory: "./"
env:
GIT_CREDENTIALS: ${{ secrets.GIT_CREDENTIALS }}
run: |
yq -i e 'del(.content.sources)' apps/docs/antora-playbook.yml
yq -i e 'del(.site.keys)' apps/docs/antora-playbook.yml
yq -i e '.content.sources += [{"url": "../../timefold-solver", "start_path": "docs/src"}]' apps/docs/antora-playbook.yml
npm ci
npm run build -- --filter docs
- name: Deploy Documentation (Preview Mode)
if: ${{ env.BRANCH_NAME != 'main' }}
id: deploy
uses: cloudflare/wrangler-action@v3
with:
apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
workingDirectory: ./apps/docs
command: pages deploy ./public-serve --project-name=timefold-docs --branch=${{ github.ref }}
sonarcloud:
needs: approval_required
name: SonarCloud
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
ref: ${{ github.event.pull_request.head.sha }} # The GHA event will pull the main branch by default, and we must specify the PR reference version
- name: Set up JDK 17
uses: actions/setup-java@v4
with:
java-version: 17
distribution: 'temurin'
cache: 'maven'
- name: Python 3.10, Python 3.11, Python 3.12 Setup
uses: actions/setup-python@v5
with:
python-version: |
3.10
3.11
3.12
cache: 'pip'
cache-dependency-path: |
**/setup.py
- name: Install tox
run:
pip install tox coverage pytest pytest-cov
- name: Cache SonarCloud packages
uses: actions/cache@v4
with:
path: ~/.sonar/cache
key: ${{ runner.os }}-sonar
restore-keys: ${{ runner.os }}-sonar
- name: Build with Maven to measure code coverage # The ENV variables are limited to the scope of the current step. Avoid adding sensitive ENV variables here as the tests could leak them.
run: mvn -B clean install -Prun-code-coverage
- name: Get JaCoCo Agent
run: mvn org.apache.maven.plugins:maven-dependency-plugin:2.8:get -Dartifact=org.jacoco:org.jacoco.agent:0.8.11:jar:runtime -Ddest=target/jacocoagent.jar
- name: Run tox to measure timefold solver python code coverage from Python tests
run: python -m tox -- --cov=timefold --cov-report=xml:target/coverage.xml --cov-config=tox.ini --cov-branch --cov-append --jacoco-agent=./target/jacocoagent.jar
- name: Run tox to measure jpyinterpreter code coverage from Python tests
working-directory: ./python/jpyinterpreter
run: python -m tox -- --cov=jpyinterpreter --cov-report=xml:target/coverage.xml --cov-config=tox.ini --cov-branch --cov-append --jacoco-agent=../../target/jacocoagent.jar --jacoco-output=../../target/jacoco.exec
- name: Run analysis
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Needed to run the SonarCloud analysis
run: mvn -B -Psonarcloud-analysis validate org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.organization=timefold -Dsonar.projectKey=ai.timefold:timefold-solver -Dsonar.host.url=https://sonarcloud.io -Dsonar.pullrequest.key=${{ github.event.pull_request.number }} -Dsonar.pullrequest.branch=${{ github.event.pull_request.head.ref }} -Dsonar.scm.revision=${{ github.event.pull_request.head.sha }}